Network security consists of the provisions made in the underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and its resources from unauthorized access, and the consistent, continuous monitoring and measurement of how effective those provisions and policies are. Two existing network security challenges are ensuring anonymous communications and preventing unwanted data dissemination from a network, i.e., data exfiltration.
Ensuring anonymous communications will be described first. Assume a web client communicates with a web server, and the client wishes to be anonymous. The client might choose to use a real-time anonymity system, such as Tor or a Peer-to-Peer (P2P) anonymity system. Tor is a free software implementation of second-generation onion routing. Tor helps a network user defend against traffic analysis by bouncing their communications around a distributed network of relays run by volunteers all around the world. A P2P anonymity system is an anonymous Internet Protocol (IP) network overlay that uses layered encryption and multi-hop routing, as will be discussed in more detail below with reference to FIG. 1.
FIG. 1 illustrates a communication network that employs a conventional P2P anonymity system. In the figure, communication network 100 includes a client 102, a server 104, a mix router circuit 106 and an eavesdropper 108. In this example, mix router circuit 106 includes mix router 110, mix router 112, mix router 114 and mix router 116. For illustrative purposes, client 102 is depicted as including a Network Address Translator (NAT) 118. Typically a NAT would be deployed somewhere near the firewall on the entry/exit point for network traffic flowing into and out of an organization's network. To those of skill in the art, NAT refers to a standardized network address translation algorithm. For example, although Tor uses different addresses between each pair of mix routers, Tor would not be considered a NAT because it has a different algorithm.
Each of client 102, mix router 110, mix router 112, mix router 114, mix router 116 and server 104 may be any known type of data processing system that is operable to perform functions. These functions may be performed based on instructions that may be stored on each device, respectively, or may be stored on a data processing system readable medium that is accessible by each device, respectively.
Client 102 is operable to send data 120 to mix router circuit 106 and to receive data 122 from mix router circuit 106. Server 104 is operable to receive data 124 from mix router circuit 106 and to send data 126 to mix router circuit 106. Eavesdropper 108 is operable to, at least, receive data 128 from mix router circuit 106. Mix router 110 is operable to send data 130 to mix router 112, to send data 132 to mix router 116 and to send data 134 to mix router 114. Mix router 112 is operable to send data 136 to mix router 110, to send data 138 to mix router 114 and to send data 140 to mix router 116. Mix router 114 is operable to send data 142 to mix router 112, to send data 144 to mix router 116 and to send data 146 to mix router 110. Mix router 116 is operable to send data 148 to mix router 114, to send data 150 to mix router 110 and to send data 152 to mix router 112. Any one of mix router 110, mix router 112, mix router 114 and mix router 116 is additionally operable to receive data 120 from client 102, to receive data 126 from server 104, to transmit data 122 to client 102 or to transmit data 124 to server 104.
NAT 118 is used to bridge between client 102 and oblivious server 104. In other words, server 104 does not know the identity of client 102. In an attempt to maintain such anonymity, client 102 encrypts data 120 for transmission through mix router circuit 106. The last mix router ultimately forwards data from client 102 to server 104. The reverse communication data are sent back through the same mix routers, in reverse order. Ideally, at each mix router, an adversary is unable to determine which outgoing packet corresponds to a given incoming packet. A common technique to this end is to have client 102 multiply encrypt data it sends and then have each mix router decrypt one layer of the encryption (similar to peeling an onion). One example of such transmission will now be described below.
To maintain anonymity from server 104, client 102 transmits data 120 through a pseudo-random pathway within mix router circuit 106. When encrypting data 120, NAT 118 provides an encryption level for each leg of the transmission such that an originating address is pseudo-randomly mapped to a destination address. In this example, presume that NAT 118 encrypts data 120, such that data 120 will transmit along a data path: from client 102 to mix router 112; from mix router 112 to mix router 110; from mix router 110 to mix router 114; from mix router 114 to mix router 116; and then from mix router 116 to server 104.
Therefore, when encrypting data 120, NAT 118 applies four encryptions to data 120, the first of which includes mix router 112 as the first destination address. Upon receipt of data 120, mix router 112 decrypts the first level of encryption, which then maps the originating address of client 102 to the destination address of mix router 110. Because data 120 has been decrypted by mix router 112, data 120 is transformed into data 136.
Upon receipt of data 136, mix router 110 decrypts the second level of encryption, which then maps the originating address of mix router 112 to the destination address of mix router 114. Because data 136 has been decrypted by mix router 110, data 136 is transformed into data 134.
Upon receipt of data 134, mix router 114 decrypts the third level of encryption, which then maps the originating address of mix router 110 to the destination address of mix router 116. Because data 134 has been decrypted by mix router 114, data 134 is transformed into data 144.
Upon receipt of data 144, mix router 116 decrypts the fourth and final level of encryption, which then maps the originating address of mix router 114 to the destination address of server 104. Because data 144 has been decrypted by mix router 116, data 144 is transformed into data 124.
As discussed by example above, data 120 from client 102 is multiply encrypted by NAT 118, and decrypted once by each of mix routers 110, 112, 114 and 116. All traffic between client 102 and server 104 is forwarded back and forth through mix router circuit 106. Such an encryption scheme may successfully maintain anonymity between client 102 and server 104. It should be noted that although the present example uses a mix router circuit having four mix routers, additional mix routers may be used to increase the level of anonymity.
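The layered encryption walked through above, as an added example that is not part of this description and is not Tor's protocol or any real mix network's code: a toy Python model that follows the same path from client 102 through mix routers 112, 110, 114 and 116 to server 104. Each layer is a fixed-width header naming the next hop plus the inner ciphertext, encrypted under a key shared between the client and that mix router, so each router strips one layer and learns only the hop it forwards to. The stream cipher (SHA-256 keystream XOR), the per-layer HMAC tag, the router names and the per-router keys are all constructed for a stdlib-only illustration and are not a secure design.

```python
"""Toy model of the layered ("onion") encryption described above.

Added example: keys, names and the toy cipher are constructed for illustration;
this is not Tor's protocol nor a secure construction.
"""
import hashlib
import hmac
import os

# Constructed path from FIG. 1: client 102 -> 112 -> 110 -> 114 -> 116 -> server 104
PATH = ["mix112", "mix110", "mix114", "mix116"]
DESTINATION = "server104"
HDR_LEN = 16   # fixed-width next-hop field
TAG_LEN = 32   # HMAC-SHA256 tag


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: encrypt (next_hop header || inner) and append an integrity tag."""
    nonce = os.urandom(16)
    header = next_hop.encode().ljust(HDR_LEN, b"\0")
    body = nonce + keystream_xor(key, nonce, header + inner)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def unwrap_layer(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """Strip one layer; a modified or wrongly keyed layer fails the tag check."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("layer integrity check failed")
    nonce, ct = body[:16], body[16:]
    plain = keystream_xor(key, nonce, ct)
    next_hop = plain[:HDR_LEN].rstrip(b"\0").decode()
    return next_hop, plain[HDR_LEN:]


def build_onion(keys: dict, path: list, destination: str, message: bytes) -> bytes:
    """Client side: innermost layer first, so the last router's layer names the server."""
    hops = path + [destination]
    blob = message
    for i in reversed(range(len(path))):
        blob = wrap_layer(keys[path[i]], hops[i + 1], blob)
    return blob


def relay_through(keys: dict, path: list, onion: bytes):
    """Each router peels its own layer and forwards; returns (trace, delivered payload).

    The trace records what each router learns: only the hop it forwards to."""
    trace = []
    blob = onion
    for router in path:
        next_hop, blob = unwrap_layer(keys[router], blob)
        trace.append((router, next_hop))
    return trace, blob


def demo_keys() -> dict:
    # Constructed per-router keys (a real system establishes these by key exchange).
    return {r: hashlib.sha256(b"demo-key:" + r.encode()).digest() for r in PATH}


if __name__ == "__main__":
    keys = demo_keys()
    onion = build_onion(keys, PATH, DESTINATION, b"GET / HTTP/1.1")
    trace, payload = relay_through(keys, PATH, onion)
    for router, nxt in trace:
        print(f"{router} forwards to {nxt}")
    print("delivered:", payload)
```

The per-layer tag is the caveat worth keeping in mind: without it, a router (or anyone on the link) could flip ciphertext bits and watch which later hop or server reacts, which is itself a way to trace a flow. The toy also makes every layer the same size only by accident; a real design pads each layer so that length does not reveal how many hops remain.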
The real-time anonymity systems discussed above are not designed to protect against certain traffic analysis attacks, such as intersection attacks. An intersection attack occurs when an attacker maps incoming packets to a mix router to outgoing packets, over multiple distinct time intervals, in order to identify the address of a particular client. This will be discussed below.
Presume that eavesdropper 108 is monitoring the packets arriving at server 104 and desires to determine the address of client 102. Further, presume that eavesdropper 108 knows that mix routers 110, 112, 114 and 116 make up mix router circuit 106 and that all data passed through mix router circuit 106 travels along a pseudo-random path. Eavesdropper 108 may ultimately determine the address of client 102 by performing a series of intersection attacks on mix routers 110, 112, 114 and 116. Eavesdropper 108 knows the source address of packets sent from the last mix router in the circuit to the server. It will perform an intersection attack to learn the address of the preceding mix router in the circuit. It can then perform an intersection attack on that mix router to find the address of the mix router that precedes that one, and so on, until it finds the address of the client.
For example, say that eavesdropper 108 performs an initial intersection attack on mix router 114. The object is to determine the source address for data received by mix router 114. In this case eavesdropper 108 will monitor via signal 128 the data 134, data 138, data 148, data 142, data 146 and data 144. The identity of the previous mix router is the source address within the data received by router 114. However, as discussed above, the data received by router 114 is encrypted to provide anonymity of the source address. To attack such anonymity, eavesdropper 108 records the incoming source addresses and outgoing destination addresses for multiple distinct time periods. This will be described in more detail below, with reference to FIG. 2.
As illustrated in the figure, it is determined that mix router 114 receives, at a first time period T1, a data packet having an origination address of s1, then receives a data packet having an origination address of s2 and then receives a data packet having an origination address of s5. Further, it is determined that mix router 114 transmits a data packet having a destination address of d1, then transmits a data packet having a destination address of d3 and then transmits a data packet having a destination address of d4.
As illustrated in the figure, it is then determined that mix router 114 receives, at a second time period T2, a data packet having an origination address of s1, then receives a data packet having an origination address of s3 and then receives a data packet having an origination address of s4. Further, it is determined that mix router 114 transmits a data packet having a destination address of d2, then transmits a data packet having a destination address of d3 and then transmits a data packet having a destination address of d5.
As illustrated in the figure, it is then determined that mix router 114 receives, at a third time period T3, a data packet having an origination address of s2, then receives a data packet having an origination address of s3 and then receives a data packet having an origination address of s5. Further, it is determined that mix router 114 transmits a data packet having a destination address of d1, then transmits a data packet having a destination address of d2 and then transmits a data packet having a destination address of d4.
As illustrated in the figure, it is then determined that mix router 114 receives, at a fourth time period T4, a data packet having an origination address of s1 and then receives a data packet having an origination address of s4. Further, it is determined that mix router 114 transmits a data packet having a destination address of d3 and then transmits a data packet having a destination address of d5.
With enough mappings, eavesdropper 108 can obtain the origination address for the previous mix router, which in this example is mix router 110. So if eavesdropper 108 desires to identify client 102, it could proceed to eavesdrop in this same manner on mix router 110, and finally on mix router 112 to identify client 102.
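The FIG. 2 observations worked through as a linkability check, as an added example that is not part of this description: the per-period entry and exit sets for mix router 114 are transcribed from the four time periods above, and the analysis is written from the operator's side, to measure how many sources remain consistent with each destination and to show what constant-rate cover traffic does to that count. The assumption that each source is one long-lived flow forwarded to a single destination is the one the description itself makes; the cover-traffic model (dummy packets that continue through the router so both sets are identical in every period) is a constructed mitigation sketch, not a scheme from this document.

```python
"""Intersection analysis over the FIG. 2 observations for mix router 114.

Added example: the per-period sets are transcribed from the description above;
the cover-traffic model is a constructed illustration of a mitigation.
"""

# (sources seen entering router 114, destinations seen leaving it), per period
OBSERVATIONS = {
    "T1": ({"s1", "s2", "s5"}, {"d1", "d3", "d4"}),
    "T2": ({"s1", "s3", "s4"}, {"d2", "d3", "d5"}),
    "T3": ({"s2", "s3", "s5"}, {"d1", "d2", "d4"}),
    "T4": ({"s1", "s4"}, {"d3", "d5"}),
}


def candidate_sources(observations: dict, destination: str) -> set:
    """Sources still consistent with feeding `destination`.

    Assumes (as the description does) that each source is one long-lived flow
    forwarded to a single destination whenever it is active: a candidate must
    be present in every period in which the destination is seen, and absent
    from every period in which it is not."""
    present = [srcs for srcs, dsts in observations.values() if destination in dsts]
    absent = [srcs for srcs, dsts in observations.values() if destination not in dsts]
    if not present:
        return set()
    candidates = set.intersection(*present)
    for srcs in absent:
        candidates -= srcs
    return candidates


def linkability_report(observations: dict) -> dict:
    """Candidate set for every destination; a singleton means the flow is linked."""
    destinations = set().union(*(dsts for _, dsts in observations.values()))
    return {d: candidate_sources(observations, d) for d in sorted(destinations)}


def with_cover_traffic(observations: dict) -> dict:
    """Mitigation model: every source emits real or dummy packets in every period,
    and the dummies are carried through the router, so entry and exit sets are
    identical in every period and the intersection never shrinks."""
    all_sources = set().union(*(srcs for srcs, _ in observations.values()))
    all_dests = set().union(*(dsts for _, dsts in observations.values()))
    return {t: (set(all_sources), set(all_dests)) for t in observations}


if __name__ == "__main__":
    for d, c in linkability_report(OBSERVATIONS).items():
        print(f"{d}: {sorted(c) or 'no consistent source'}")
    padded = linkability_report(with_cover_traffic(OBSERVATIONS))
    print("candidates per destination with cover traffic:",
          {d: len(c) for d, c in padded.items()})
```

On the recorded periods, d3 is linked to s1 after only four observations, while d1 and d4 each keep two candidates; the point for an operator is that an exposure estimate like this is cheap to compute from the same logs, and that the count stops shrinking only when every source is present in every period.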
The discussion will now turn to the second network security challenge discussed above, data exfiltration. This will be described with reference to FIG. 3.
FIG. 3 illustrates a communication network that employs a conventional P2P anonymity system. In the figure, communication network 300 includes a client 302, a server 304, a secure network 306 and an adversary 308. A "secure" network generally refers to a network that encrypts application data as it traverses the network.
Client 302 is operable to send data 310 to secure network 306 and to receive data 312 from secure network 306. Server 304 is operable to receive data 314 from secure network 306 and to send data 316 to secure network 306. In this example, data 314 corresponds to data 310 whereas data 312 corresponds to data 316, such that client 302 securely communicates with server 304.
Adversary 308 is unable to directly intercept data from secure network 306. In this example, assume there is a malicious process 318 running on client 302. Malicious process 318 has access to confidential data within client 302, and desires to transfer this data to adversary 308. Network access controls may prevent client 302 from connecting with adversary 308, even with assistance from malicious process 318. Therefore, malicious process 318 needs to find another method of sending the data. One such method is a network covert channel. Although there are multiple such channels, the hardest to defeat is the packet interarrival timing channel, as will be discussed in more detail below.
When client 302 sends data 310 through secure network 306, in actuality client 302 sends a plurality of packets of bits of data. These packets of bits of data or “data packets” are arranged based on predetermined protocols, and may include specific groups of arranged data fields, non-limiting examples of which include a header, an origination address, a destination address, type of data, data payload, etc. Further, these data packets may be spaced from one another in time. This time spacing may be modulated to covertly transmit data to adversary 308.
For example, adversary 308 may eavesdrop on a link within secure network 306. Presume in this example that adversary 308 is unable to directly access or interpret the data within secure network 306 as a result of the encryption system within secure network 306. In any event as data packets pass through the monitored link, adversary 308 merely monitors the timing differences between the data packets. Now, presume that malicious process 318 has modulated the timing of the data packets, without even changing the data within the data packets. In this manner, the modulated timing differences between the packets are used to encode bits of information, which adversary 308 detects. As such, malicious process 318 is able to exfiltrate data from client 302 to adversary 308, even in the face of a secure network.
In the above discussed example, the detection task of adversary 308 is made much easier if there are some packet characteristics that can be used to filter out other traffic, such as a constant source and/or destination address. A defense against data exfiltration serves as an additional defensive layer against host and application vulnerabilities, since an attacker will be unable to leak confidential data in a timely manner. Thus there is a need to maintain the privacy of information, including location, for a fixed period of time, in the presence of Trojan horses (a class of computer threats that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the host machine) on the protected host or network.
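The interarrival timing channel just described, seen from the monitoring side, as an added example that is not part of this description: a per-flow check that groups packet records by the constant (source, destination) pair the text mentions and scores the gaps between consecutive packets with an exact one-dimensional two-cluster split. When each gap encodes one of two symbols, the gaps fall into two tight clusters and the within-cluster share of the variance is close to zero; ordinary request traffic with roughly exponential spacing scores far higher. The packet records (private addresses, seeded random timings), the two-means statistic and the 0.1 threshold are all constructed for this illustration, not values from the document.

```python
"""Per-flow check for two-symbol interarrival timing modulation.

Added example: packet records are constructed (private addresses, seeded
random timings); the two-means split statistic and the 0.1 threshold are
choices made for this illustration, not values from the description above.
"""
import random
from collections import defaultdict


def two_means_ratio(values) -> float:
    """Within-cluster / total sum of squares for the best split of the sorted
    values into two groups (exact 1-D 2-means). Near 0 means the values sit in
    two tight clusters, as they do when each gap encodes one of two symbols."""
    xs = sorted(values)
    n = len(xs)
    if n < 4:
        return 1.0
    mean = sum(xs) / n
    total = sum((x - mean) ** 2 for x in xs)
    if total == 0.0:
        return 1.0  # perfectly constant spacing carries no two-symbol signal
    prefix, prefix_sq = [0.0], [0.0]
    for x in xs:
        prefix.append(prefix[-1] + x)
        prefix_sq.append(prefix_sq[-1] + x * x)
    best = total
    for k in range(1, n):  # left cluster = xs[:k], right cluster = xs[k:]
        left = prefix_sq[k] - prefix[k] ** 2 / k
        right_sum = prefix[n] - prefix[k]
        right = (prefix_sq[n] - prefix_sq[k]) - right_sum ** 2 / (n - k)
        best = min(best, left + right)
    return max(best, 0.0) / total


def interarrivals(timestamps):
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def score_flows(packets, min_packets: int = 50) -> dict:
    """packets: iterable of (timestamp_s, src, dst). Groups by the constant
    (src, dst) pair the description mentions and scores each flow's gaps."""
    flows = defaultdict(list)
    for ts, src, dst in packets:
        flows[(src, dst)].append(ts)
    return {f: two_means_ratio(interarrivals(t)) for f, t in flows.items()
            if len(t) >= min_packets}


def suspicious_flows(packets, threshold: float = 0.1) -> set:
    """Flows whose gap distribution is two-clustered enough to warrant a look."""
    return {f for f, r in score_flows(packets).items() if r < threshold}


def constructed_packets() -> list:
    """Two constructed flows: ordinary-looking traffic and a modulated one."""
    rng = random.Random(7)
    packets = []
    t = 0.0  # flow A: exponential gaps, mean 100 ms
    for _ in range(200):
        t += rng.expovariate(10.0)
        packets.append((t, "10.0.0.5", "10.0.1.9"))
    bits = "0110100101011100"  # flow B: a 50 ms gap encodes 0, a 150 ms gap encodes 1
    t = 0.0
    for i in range(200):
        t += (0.05 if bits[i % len(bits)] == "0" else 0.15) + rng.uniform(-0.003, 0.003)
        packets.append((t, "10.0.0.7", "10.0.2.3"))
    return packets


if __name__ == "__main__":
    for flow, ratio in score_flows(constructed_packets()).items():
        print(flow, f"{ratio:.4f}")
    print("flagged:", suspicious_flows(constructed_packets()))
```

The statistic is deliberately narrow: it catches the two-symbol case the text describes, and a sender that uses more symbols or adds jitter widens the clusters and raises the score, which is why operational detectors combine several window-level measures (entropy of binned gaps, regularity across windows) rather than one. The same observation drives the mitigation side: a gateway that reshapes outbound traffic to a fixed rate or adds its own timing noise removes the information the channel depends on, at the cost of latency.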
Since there is no proven effective solution to the network anonymity and data exfiltration problems discussed above, network users are not sufficiently secure: confidential information may leak while they access the network.
What is needed is a solution that can ensure anonymous communications and prevent data exfiltration from a network.